When I buy books, most of the time I buy them online from my favorite bookstore.
The company is very big worldwide; I promised not to tell anyone who they are. They've got all my personal info, from my name to my account number. So, I hope they protect their site against known XSS vectors, like we discuss here. I thought about testing the website, and I did. I found the first hole in seconds, and yeah, in the search field. So their security is at risk, but moreover MY privacy is at risk now that I know all my data lies up for grabs, so to speak. So I did what I swore never to do again: I contacted them about this. Gave them 5 days to fix the holes or else I would disclose their XSS holes.

3 days later I got an email; the Book Store thanked me very much for reporting these holes. They've contacted IT and they are going to fix it A.S.A.P.
Then I got a discount coupon from them; on my next order I can use it to order something with a very generous discount. :)

I guess it can pay off to be a little more diplomatic and contact them first about this, and see what happens. In any case, it came as a surprise.

Haha, yeah, if I gave you the link you surely could try, but that XSS hole was so common, I don't think they patch them all on their sites. Maybe I'll disclose it, but only after they've fixed the one I found; a promise is a promise. ;)

It's nice to see a company appreciate what you did, rather than threatening legal action as a result of disclosing it to them.

All too often companies take a defensive stance to being informed of these things.

I even had one company tell me, after disclosing a SQL injection vulnerability, "It's not that big of a concern to us, because our database is backed up every night".

They were obviously oblivious to the true severity of the issue, even after I attempted to inform them of the vast number of things that could happen as a result of the vulnerability. I was finally sent a "thanks, but please stop bothering us about it" email.

One from Schneier: "Secrets and Lies" is a must-have.
And the new one from Mitnick: "The Art of Intrusion" (not really crypto actually, though :)

Looks like a nice book at the link you gave; I didn't know that one. But mostly I'm sticking to the authors of crypto algorithms like Ferguson, Schneier, Daemen, Rijmen, etc. when buying books on that topic.